The United States may be forced to redesign an unnamed new weapon system now under development – because tech specs and plans were stolen from a defence contractor's databases.
Reuters and Aviation Week report on the revelation by US Deputy Defense Secretary William Lynn, made in the course of announcing beefed-up cyber defences …

'ang on...

really?

Roadsign Deaths

I'm originally from far Eastern Tennessee, and a road sign without at least one bullet hole or a spray of scattergun holes is a rarity. Sometimes on really slow days people get tired of shooting the signs and just run them over with their trucks.

Re: AC About the "security" of cloud services

"Am I the only person on the planet who thinks that "the cloud" or SAAS over the Internet is a ghastly mistake?"

I missed the bit when somebody suggested hosting miltech data on 3rd party cloud data services - I'd like to think that there isn't anyone stupid enough to ever do anything like that, but I'd not bet a huge amount on that.

Cloud services are fine for certain purposes, they are not a universal solution for data storage - but that's hardly news.

the cloud is a ghastly mistake?

> we are being persuaded (Amazon, Google, IBM) that commercial cloud services are the wave of the future. .. Am I the only person on the planet who thinks that "the cloud" or SAAS over the Internet is a ghastly mistake? ..

Re: solemn beliefs

"What next - are banks going to talk about cyber matrix clones hacking thevirtual reality grid? Sorry, I have to go - I'm choking to death on a corn flake." ..... David W. Posted Friday 15th July 2011 13:57 GMT

If that was meant to be written, David W. ..... "What next - are banks going to talk about cyber matrix clones hacking their virtual reality grid?" ..... then probably definitely yes is the answer to that question, with the perps being obscenely well paid to keep their methodology to themselves and say nothing to anybody about how they became so suddenly, instantly wealthy. Although it will probably be nothing that they [the banks] will talk about, even amongst themselves, lest that which is used against their systems is used by others within their systems to, in effect, hold them to extortionate ransom, which is an interesting novel reversal of their great fortune, methinks, whenever one considers the too-big-to-fail model which is failing them and yet which lines their pockets with flash cash to squander on toxic crap.

And whereas some may consider and proclaim such an enterprise as a questionable or criminal hack, a great many more would just recognise and herald such a dire state of affairs as poetic natural justice delivered, and in some cases would it be just so.

On the bright side,

as we're not talking about the loss of mere consumer data (because as we all know, the little people will always come back for more regardless of the abuses they suffer) but actual valuable data whose theft or damage has actual measurable financial impact on the company and its future, maybe we'll see a bit of improvement in the whole security thing.

Working on top secret government projects you say? Not using a sensibly configured mandatory access control system? Don't see the point of SELinux or TrustedBSD? Gosh, that sounds an awful lot like treason old chap. Do put on this blindfold and stand against the wall, and I'll go bring in the next contract bidder.

You might think

Er...Internetz anyone?

Surely the simplest answer is to pull the plug on the internet connection for any equipment that houses or has access to such data? The terminals can operate on an internal network but I struggle to see why an internet connection would be required for R&D of military equipment.

Have a standalone terminal with an internet connection for all the lunchtime facebook browsing etc.

You're right!

Internet access

Like AC said, I am amazed they keep such sensitive information on computers that can be accessed by the internet. The risks are known but seem to be conveniently forgotten. I guess some employees there need critical information for their job from YouTube and Facebook and such sites. The shit I received from the employees of our company when I blocked these sites was unreal, and the excuses I heard were hilarious to say the least :)

Apparently

It's some crazy balloon, rocket spy thing.

They don't know who stole the plans, but the criminal mastermind goes by the name 'L'Ester' and is currently hiding at his secret volcano lair / donkey sanctuary deep in the Spanish mountains where he is designing a deep fat fried weapon of mass destruction.

A special operations unit made up from slightly shop-soiled supermodels is being formed to extradite him back to Guantanamo Bay where he will be chased by large spiders harvested from German supermarkets to the sound of Icelandic elf songs.

Cheapskates

Did some tech support for a UK company in the 90s...

...that did some work for the govt. Secret areas were separate, locked and connected to a separate set of servers (in a locked room separate from the main server aisle) via fibre. That room had NO other external data connections. If any of us were in there we had to have somebody else in the room. Bust hard drives went into a locked safe in that room until we did a secure rubbish run.

That's how you keep things safe. Can I have my £300,000,000 security consulting fee now please?

I'm not sure...

Are we suggesting

We need a bullshit icon.

Because I'm smelling it from reading the article. In lieu of that, I'm using the "Esc" icon, due to the suspicious brown substance in the pic.

So what bit of the article enraged me? A little bit of this.

"Marine Corps Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, said the Pentagon must shift its thinking on cybersecurity from focusing 90 percent of its energy on building better firewalls and only 10 percent on preventing hackers from attacking U.S. systems."

The thought's ok - 90% spent on firewalls is excessive. But I think he misses the point. _Physical security_ is a far better answer, as many commenters have pointed out already. Have your databases in separate networks from the web, and limit access to those who need it. And do those machines have USB ports? If so, remove them, because it's an easy way for spies to get at secrets. Firewalls should be completely redundant.

However, my real scorn goes to this comment.

"Cartwright said most viruses are only a couple hundred lines of computer code, but the patches to fix the holes they exploit can run into millions of lines of code."

Oh my fucking god. Either the General is lying (because the patch should be a couple of orders less in lines of code), or the code has more holes than swiss cheese. And how likely is it that those millions of line of code introduce a few other unintended vulnerabilities along the way? (We are talking about patches written by tax-paid-out defense contractors, aren't we, rather than third-parties like OS and anti-viral manufacturers? It's not clear from the article, but that's the sense I get.)

Here's an idea, General. In addition to the physical security mechanism already used, how about using the security features that come with the OS - access control lists and user permissions? That should restrict the freedom for viruses to damage your systems. Oh, and don't forget about disabling AutoRun.

And if your systems still need millions-of-lines patches afterwards because the Bride-of-the-son-of-Conficker comes along, then your code is shit, as are the defense contractors that wrote it. Sack them. Alternately, if the access control lists and the user permissions _break_ their software, sack them and bill them for wasting government money. A bit extreme, but the US Government needs all the cash they can get at the moment.

Course you won't do that, General. A man's got to think of his retirement, and what's better than a well-paid sinecure in a defense contractor's board of directors? Sacking contractors would make waves, and you don't do that in Washington, do you?
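The two OS-level controls the comment above names (filesystem ACLs that restrict a data directory to the people who need it, and disabling AutoRun so a planted USB stick cannot launch anything) can both be applied from an elevated PowerShell session. The script below is an added example for this page, not code from the commenter, the article or any contractor. The directory `C:\Projects\Secret` and the group `CONTOSO\WeaponDesigners` are hypothetical placeholders; the registry values are the documented AutoRun policy values under the Explorer policy key.

```powershell
# Added example (not from the original thread): apply the commenter's two
# suggestions on a Windows host. Run from an elevated (Administrator) shell.
# The directory and group names below are assumptions for illustration only.

# --- 1. Disable AutoRun via the Explorer policy key -------------------------
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) {
    New-Item -Path $explorerPolicy -Force | Out-Null
}

# NoDriveTypeAutoRun = 0xFF: no AutoRun for any drive type
# (removable, fixed, network, CD-ROM, RAM disk, unknown).
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF

# NoAutorun = 1: Explorer does not read autorun.inf at all, so a planted
# USB stick cannot advertise a "run" action in the AutoPlay dialog either.
Set-ItemProperty -Path $explorerPolicy -Name 'NoAutorun' -Type DWord -Value 1

# Read the values back so a typo in the key path is caught immediately.
$applied = Get-ItemProperty -Path $explorerPolicy
if ($applied.NoDriveTypeAutoRun -ne 0xFF -or $applied.NoAutorun -ne 1) {
    throw 'AutoRun policy values were not written as expected'
}

# --- 2. Least-privilege ACL on the project data directory ------------------
$dataDir = 'C:\Projects\Secret'          # hypothetical path
$group   = 'CONTOSO\WeaponDesigners'     # hypothetical domain group

$acl = Get-Acl -Path $dataDir

# Stop inheriting the parent's (usually permissive) entries and discard them,
# rather than keeping copies of them as explicit entries.
$acl.SetAccessRuleProtection($true, $false)

# Drop every explicit entry that is already present so nothing is left behind.
foreach ($ace in @($acl.Access)) {
    [void]$acl.RemoveAccessRule($ace)
}

# Only the named group may read and modify; Administrators keep full control
# for backups and maintenance. Both entries inherit to subfolders and files.
$groupRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($groupRule)
$acl.AddAccessRule($adminRule)

Set-Acl -Path $dataDir -AclObject $acl

# Show the resulting ACL so it can be eyeballed against the intent above.
(Get-Acl -Path $dataDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Two caveats a practitioner would want: the AutoRun policy is read by Explorer at logon, so existing sessions keep the old behaviour until users log off, and removing inherited ACEs will lock out any service account that was relying on them, so check the listed entries before pointing this at a real share.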

To be sure, to be sure, AC, it is a virile field of feverish activity with many wanting a piece of the action but precious few well enough equipped/staffed to perform and provide any satisfaction .......

"In Defence of the Realm, One does as One Needs to Succeed.

Posted Friday 15th July 2011 14:36 GMT

That was a nice touch on this week's BOFH web page .... the carrying of a situations vacant advertisement for an "IT Security Exploitation Officer" in MI5. Presumably that is .milspeak for a crack hacker and super duper spooky person, both of which are as rare as hens' teeth and an even rarer find whenever seamlessly combined in the one excellent agent." ..... http://amanfrommars.blogspot.com/2011/07/110715.html

Pay peanuts, get monkeys ..... https://www.mi5.gov.uk/careers/showjob.aspx?id=128 ..... and many before have said that Military Intelligence is oxymoronic.

Churchill said...

And the sheep take off

After reading the comments, it struck me that like a flock of sheep you are all leaping to conclusions. Nowhere in the article does it say the data was extracted using the internet. Nowhere does it say the computers were even connected to the internet.

For all we know, this might be like Stuxnet - computers not attached to the internet were attacked via a USB virus. Or more likely someone trusted simply connected a phone to the corporate LAN, and walked out the door with 30 GB of state secrets on a micro SD card smaller than a fingernail.

Paris because on a site supposedly dedicated to IT, the comments here are simply sad.

Windows faggotry

@flippertheidiot

The transcript of the speech the article was about starts:

"WASHINGTON, July 14, 2011 – The Defense Department’s first strategy for operating in cyberspace is a milestone in the fight to protect the nation from potentially devastating network attacks, Deputy Defense Secretary William J. Lynn III said today."